Data Loss Prevention (DLP) involves computer and information security, where DLP systems identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage). DLP systems may be deployed at user endpoint devices, network servers, etc. to inspect information content. DLP systems are designed to detect and prevent the unauthorized use and transmission of confidential information.
Client computer systems and devices, such as personal computers, laptop computers, personal digital assistants, smart phones, etc., are prevalent in modern organizations. Often these systems include applications that allow users to create and edit documents, spreadsheets, presentations, databases, etc., which are referred to collectively as “documents.”
When a user edits a document in an application, such as an MSOFFICE™ document edited in MSWORD™, the application creates a temporary application file in the background. The temporary application file is utilized by the application to protect the user from data loss due to an abnormal termination of the application. That is, the temporary application file may be used to recover new/edited content from the temporary file to prevent users from losing prior work.
This behavior of productivity and office applications interferes with real-time data loss prevention systems deployed on endpoint devices. That is, every time a temporary file is written, an endpoint data loss prevention system detects the file creation. The newly created, and temporary, application file may thereafter be scanned by a data loss prevention system for data loss prevention policy violations. When a policy violation occurs, the name of the temporary file is reported in a corresponding data loss prevention incident report. However, temporary file names, such as ‘~wrd0394575.doc’, are not based on the original file name and thus make it difficult to associate the policy violation with the original document.